How Password Strength Is Measured
Password strength meters seem to run on vibes — until you know the two numbers they're estimating: how many guesses an attacker needs, and how fast they can guess. Both have real math behind them, and the math busts some popular myths.
Entropy: counting the guesses
A password's strength is measured in bits of entropy. For a truly random password, entropy = length × log₂(alphabet size). Each bit doubles the search space:
- 8 lowercase letters: 8 × log₂(26) ≈ 38 bits
- 12 mixed-case + digits: 12 × log₂(62) ≈ 71 bits
- 16 chars, full keyboard: 16 × log₂(95) ≈ 105 bits
Notice the lever: going from 8 to 16 characters roughly tripled the bits, while upgrading the alphabet from 26 to 95 symbols added barely 2 bits per character. Length is the dominant variable — the entire case for passphrases.
Guessing speed: the 10-million-fold gap
Bits only matter relative to guessing speed, and there are two utterly different attack settings:
- Online: guessing through the login form — throttled, rate-limited, perhaps 10⁴ guesses/second before lockouts.
- Offline: the attacker stole the password database and runs GPU rigs against the hashes — 10¹⁰–10¹² guesses/second against weak hashing.
A 40-bit password survives online attack for years and falls offline in seconds. Since you can't know when a service's database leaks, the offline number is the one to plan for — practically, that means 60+ bits, or 80+ for anything critical.
Why P@ssw0rd! fools no one
The formula assumes randomcharacters. Human passwords aren't random — they're words with decorations, and attackers know every decoration: capitalize-first, @-for-a, trailing-!, birth years. Cracking tools apply these as rules to dictionary and leaked-password lists beforebrute force, so “P@ssw0rd!” falls in milliseconds despite its four character classes. Good strength checkers penalize dictionary words, keyboard walks (qwerty, 123456) and known leaked passwords regardless of what the raw entropy formula says.
What actually works
- Random 16+ characters from a generator, stored in a password manager — the gold standard.
- Passphrases: four to five random common words (“correct horse battery staple” style) — 50+ bits, typeable, memorable for the few passwords you must memorize.
- Uniqueness over cleverness: reuse is the real killer; a breach of one site unlocks every account sharing the password. Unique-per-site beats strong-but-reused.
- 2FA wherever offered — it survives even a cracked password.
Test the theory
The password strength checker estimates entropy, shows both online and offline crack times side by side, and flags dictionary words, sequences and repeats — computed entirely in your browser, nothing transmitted. When the verdict disappoints, the password generator fixes it in one click; our strong password guide covers the passphrase method in depth.